Ah, that makes sense. Thank you for taking the time to reply, Martin!
- gregb
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- martin
Re: winscp.log attached
Your log files shows that the certificate is signed with a trusted authority, so the
-certificate switch is not needed.
. 2020-06-29 08:51:34.074 Certificate verified against Windows certificate store
- gregb
winscp.log attached
Hi Martin,
Log file attached. I was able to successfully connect with:
-certificate=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
Greg
Log file attached. I was able to successfully connect with:
-certificate=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
Greg
- Guest
looks good. I use this sytem too
- martin
Re: -certificate switch?
Please attach a full session log file showing the problem (using the latest version of WinSCP).
To generate the session log file, use
/log=C:\path\to\winscp.log command-line argument. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.- gregb
-certificate switch?
WinSCP 5.17.3
WinSCP seems to be disregarding server certificates and automatically connecting to our partners, regardless of the certificate being offered. I'm using WinSCP.com via. powershell. I know that a mistyped -certificate in the OPEN statement would previously cause the connection to fail (as it should) but I cannot remember how long ago that was, nor which WinSCP version that was. I've been using these scripts for a number of years, and the last certificate key update to this script was about 2 years ago.
Whether I connect with the valid certificate, an invalid certificate, or no certificate, this FTPS connection succeeds:
Invalid Certificate
No Certificate
Have I cached the certificate somewhere and it's overriding the CLI? I did clear the cached hosts keys (Tools > CleanUp)
I did try several of our partner sites via. WINSCP GUI and none of them prompted me to accept a hostkey.
I tried running WINSCP 5.7.6 on a new system and got the same results.
Has something changed over time that I've missed in the release notes?
Graciously,
Greg
WinSCP seems to be disregarding server certificates and automatically connecting to our partners, regardless of the certificate being offered. I'm using WinSCP.com via. powershell. I know that a mistyped -certificate in the OPEN statement would previously cause the connection to fail (as it should) but I cannot remember how long ago that was, nor which WinSCP version that was. I've been using these scripts for a number of years, and the last certificate key update to this script was about 2 years ago.
Whether I connect with the valid certificate, an invalid certificate, or no certificate, this FTPS connection succeeds:
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"31:a0:0f:ff:69:cc:9b:d5:10:df:98:36:b8:74:a5:9b:62:27:b1:87"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch abort
confirm off
include |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D--------- 0 0 ..
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 inbound
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 outbound
Invalid Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -certificate='"aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"' -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch abort
confirm off
include |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D--------- 0 0 ..
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 inbound
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 outbound
No Certificate
PS C:\Windows> & "C:\program files (x86)\winscp\winscp.com" /command `"option batch abort`" `"option confirm off`" `"option exclude *downloaded*`" `"open ftps://USERNAME:password@ftpsite.company.com -passive=on -rawsettings FtpForcePasvIp=1 ftps=2 fsprotocol=5 portnumber=20021`" `"lcd d:\abc`" `"dir`" `"exit`"
batch abort
confirm off
include |*downloaded*
Connecting to ftpsite.company.com:20021 ...
TLS connection established. Waiting for welcome message...
Connected
Starting the session...
Session started.
Active session: [1] USERNAME@ftpsite.company.com
d:\abc
D--------- 0 0 ..
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 inbound
Drwxrwxr-x 0 USERNAME FTP 256 Jun 15 2014 outbound
PS C:\Windows> exit
Have I cached the certificate somewhere and it's overriding the CLI? I did clear the cached hosts keys (Tools > CleanUp)
I did try several of our partner sites via. WINSCP GUI and none of them prompted me to accept a hostkey.
I tried running WINSCP 5.7.6 on a new system and got the same results.
Has something changed over time that I've missed in the release notes?
Graciously,
Greg